Venting device for tamper resistant electronic modules

ABSTRACT

A tamper resistant enclosure for an electronic circuit includes an inner copper case, a tamper sensing mesh wrapped around the inner case, an outer copper case enclosing the inner case and the tamper sensing mesh, and a venting device forming a vent channel from inside the inner case to outside the outer case, the vent channel passing between overlapping layers of the tamper sensing mesh and having at least one right angle bend along its length. The venting device consists of two strips of a thin polyamide coverlay material laminated together along their length, and a length of wool yarn sandwiched between the two thin strips and extending from one end of the strips to the other end of the strips to form the vent channel. The length of yarn follows a zig-zag path between the first and second strips, the zig-zag path including at least one right angle bend.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to a venting device for tamper resistantelectronic modules, and more specifically to a venting device forelectronic communications encryption modules that comply with FederalInformation Processing Standards 140-2 (FIPS 140-2), Level 4, securityrequirements.

2. Background Information

Federal Information Processing Standards 140-2 (FIPS 140-2) is astandard that describes U.S. federal government requirements that ITproducts should meet for Sensitive, but Unclassified (SBU) use. TheStandard was published by the National Institute of Standards andTechnology (NIST) in May 2001, and succeeds FIPS 140-1 published by NISTin January 1994. It has been adopted by the Canadian government'sCommunication Security Establishment (CSE), and is likely to be adoptedby the financial community through the American National StandardsInstitute (ANSI). This technology has become of particular interest inthe wake of growing threats to security both at home and abroad.

The standard defines security requirements that must be satisfied by acryptographic module used in a security system protecting unclassifiedinformation within IT systems. There are four levels of security: fromLevel 1 (lowest) to Level 4 (highest). These levels are intended tocover the wide range of potential applications and environments in whichcryptographic modules may be deployed.

Security level 4 provides the highest level of security defined in thestandard. At this security level, the physical security mechanismsprovide a complete envelope of protection around the cryptographicmodule with the intent of detecting and responding to all unauthorizedattempts at physical access. Penetration of the cryptographic moduleenclosure from any direction has a very high probability of beingdetected, resulting in the immediate nullification of all criticalsecurity parameters stored in the module. Security level 4 cryptographicmodules are useful for operation in physically unprotected environments.

The principal features of a typical electronic communications encryptionmodule designed to meet the requirements of FIPS 140-2, Level 4, areillustrated in the cross-sectional view of FIG. 1. At the heart of theencryption module is a circuit card 3 on which are mounted a number ofintegrated circuit chips (not shown) that provide the functionality ofthe encryption module. The circuit card 3 is enclosed in a copper innercase 2. Rivets 4 align the circuit card 3 and hold the cover of theinner case in place. The inner case 2 is wrapped in a tamper sensingresistive mesh 5. To assure complete coverage, the edges of the tampersensing mesh 5 are overlapped on a portion 7 of the inner case 2. Theinner case 2 wrapped in the mesh 5 is encapsulated with polyurethane 6,and the encapsulated assembly placed in a copper outer case 1. Thecomplete enclosure is airtight.

FIG. 2 shows further details of the outside of inner case 2. Windows 12are openings provided for flex cables connecting the circuit card 3 to aPCI printed circuit assembly or similar interface. Windows 22 areopenings through which the tamper sensing mesh 5 will be connected tothe circuit card 3.

FIG. 3 a shows the encryption module at the stage where flex cables 31are connected to the circuit board 3, and the mesh 5 is in the processof being wrapped around the inner case 2. As noted above, flex cables 31connect the circuit card 3 to a PCI printed circuit assembly or similarinterface through windows 12. Mesh cables 15 connect the tamper sensingresistive mesh 5 to the circuit card 3 through windows 22. Thisconnection is illustrated in further detail in FIG. 3 b. Through thisconnection, the circuit board 3 can sense when an attempt is made togain access to the communications encryption module. If the tampersensing resistive mesh 5 is damaged, the hardware on the circuit card 3is programmed to nullify all of the encryption technology within themodule.

The hermetically sealed assembly illustrated in FIGS. 1-3 has exhibitedfailure when exposed to reliability testing conditions that includetemperature cycling, and when used in high temperature applications.FIGS. 4 a-e show the sequence of events leading to mesh damage andfailure. As temperature increases in FIG. 4 a over room temperature,pressure of the trapped air 8 on the enclosing mesh 5 increases inaccordance with the ideal gas law. This causes the mesh to tent in thevicinity of the window 22 through which the mesh enters the inner case2, as shown in FIG. 4 b. Air pressure and polyurethane expansion in theconfined space, as shown in FIG. 4 c, cause deformation of the copperouter case 1. Case deformation allows delamination between the primarylayer and the overlap layer of the mesh 5, as shown in FIG. 4 d. Themesh 5 can fail at this point or when, as shown in FIG. 4 e, the casedeformation is large enough that the mesh-to-mesh delamination reachesthe mesh-to-polyurethane interface.

The use of a vent to relieve internal air pressure in the communicationsencryption module has been considered, but the concern is that even asmall vent would allow access inside the enclosure and therefore violateFIPS 140-2, Level 4 requirements. Moreover it is believed that themanufacture of a tamper sensing resistive mesh allowing for such a ventwould fail independent testing for FIPS compliance due the breach inprotection of the package.

SUMMARY OF THE INVENTION

It is, therefore, a principle object of this invention to provide aventing device for tamper resistant electronic modules.

It is another object of the invention to provide a venting device fortamper resistant electronic modules that solves the above-mentionedproblems.

These and other objects of the present invention are accomplished by theventing device for tamper resistant electronic modules that is disclosedherein.

In an exemplary aspect of the invention, a tamper resistant enclosurefor an electronic circuit, designed to meet FIPS 140-2, Level 4,security requirements, includes an inner case for enclosing theelectronic circuit, a tamper sensing mesh wrapped around the inner casein such a manner that edges of the tamper sensing mesh form overlappinglayers on a portion of the inner case, an outer case enclosing the innercase and the tamper sensing mesh, and a venting device forming a ventchannel from inside the inner case to outside the outer case, the ventchannel passing between the overlapping layers of the tamper sensingmesh and having at least one right angle bend along its length. Theinner case and the outer case are metallic and preferably made ofcopper. Further, an encapsulant, preferably made of a urethane material,fills the space between the inner case and the outer case.

In another aspect of the invention, the venting device is comprised oftwo strips of a thin material laminated together along their length, anda length of yarn sandwiched between the two thin strips and extendingfrom one end of the strips to the other end of the strips to form a ventchannel. In a preferred embodiment, the strips are composed of apolyamide coverlay material, and the yarn is a wool yarn. The ventingdevice may also include a third strip of thin material interposedbetween the first and second thin strips, the third strip having one ormore holes along its length through which the length of yarn is laced asit proceeds from one end of the venting device to the other. In analternative embodiment, the length of yarn follows a zig-zag pathbetween the first and second strips. Preferably, the zig-zag pathincludes at least one right angle bend.

In a further aspect of the invention, a method a manufacturing thesubject venting device includes the steps of placing in a laminatingpress a sandwich comprising two strips of coverlay material each with alayer of thermally activated adhesive, and a length of wool yarninterposed between the two thin strips and extending from one end of thestrips to the other end of the strips to form a vent channel, andlaminating the two strips together with the yarn in between at elevatedtemperature and pressure for a predetermined period of time. For thepreferred embodiment, the laminating process is performed at atemperature of approximately 300° F. and a pressure of approximately 75PSI for a period of approximately 45 minutes. The method may furtherinclude layering sponge rubber on both sides of the sandwich before thelaminating step, and employing in the laminating press platens havinggrooves that defines the vent channel. To manufacture the embodiment ofthe invention in which the vent channel follows a zig-zag path, themethod preferably includes the steps of forming matching holes in thetwo strips of coverlay material and inserting pins through the matchingholes to guide the length of yarn interposed between the two strips in azig-zag path between one end of the strips and the other end of thestrips.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified cross-sectional view of a typical electroniccommunications encryption module designed to meet the requirements ofFIPS 140-2, Level 4.

FIG. 2 is a perspective view showing details of the outside of the innercase of the encryption module of FIG. 1.

FIG. 3 a is a perspective view showing the inner case of the encryptionmodule being wrapped in a tamper sensing resistive mesh.

FIG. 3 b is a simplified cross-sectional view showing the connection ofthe tamper sensing resistive mesh to the circuit card located within theinner case of the encryption module.

FIGS. 4 a-4 e are a series of simplified cross-sectional viewsillustrating a failure mechanism of the tamper sensing resistive mesh atelevated temperatures due to air trapped within the inner case of theencryption module.

FIG. 5 is a cross-sectional view of an electronic communicationencryption module illustrating the placement of a venting deviceaccording to the present invention.

FIG. 6 shows a first embodiment of a venting device for an electroniccommunication encryption module according to the present invention.

FIG. 7 shows a second embodiment of a venting device for an electroniccommunication encryption module according to the present invention.

FIG. 8 shows a third embodiment of a venting device for an electroniccommunication encryption module according to the present invention.

FIG. 9 shows a fourth embodiment of a venting device for an electroniccommunication encryption module according to the present invention.

FIG. 10 is a chart showing internal temperature and pressure versus timeof sealed encryption modules with differing degrees of venting.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The invention will now be described in more detail by way of examplewith reference to the embodiments shown in the accompanying figures. Itshould be kept in mind that the following described embodiments are onlypresented by way of example and should not be construed as limiting theinventive concept to any particular physical configuration.

Further, if used and unless otherwise stated, the terms “upper,”“lower,” “front,” “back,” “over,” “under,” and similar such terms arenot to be construed as limiting the invention to a particularorientation. Instead, these terms are used only on a relative basis.

The present invention is directed to a venting device suitable fortamper resistant electronic module that must meet FIPS 140-2 standardsfor communications encryption equipment. As discussed above, the tamperresistant encryption module typically consists of a circuit card withseveral integrated circuit devices and is mounted inside an innermetallic case with openings for flexcables. The flexcables are used toconnect the card to a PCI printed circuit assembly or other suitableinterface. To make the card tamperproof, an electronic shield in theform of a resistive mesh is wrapped around the inner can. The inner canis enclosed in an outer metallic can with the required polyurethaneencapsulant filling the space between them. The whole assembly is heatedto 80° C. using a specific temperature profile in order for thepolyurethane to cure. During this manufacturing operation air getsentrapped in the inner case and has no way to escape. During operationof the card, the pressure developed by the trapped air is high enough tocause shear delamination and failure of the electronic shield over theflexcable openings in the inner case.

FIG. 5 shows by way of example how a venting device can be added to thecommunications encryption module of FIG. 1 in a manner compliant withthe FIPS 140-2, Level 4, standard. The venting device 10 passes throughan opening in the inner case 2 where there are overlapping layers 5 a, 5b of the tamper sensing mesh 5. The venting device 10 passes between theinner layer 5 a, which is in contact with the inner case 2, and theouter layer 5 b, which is wrapped over the venting device. In theexample shown, there is a 90° bend in the venting device as it exits theinner case, in order to comply with a FIPS 140-2, Level 4, requirementthat a standard vent tube have at least one 90° bend between theinterior of the package and the exterior.

FIG. 6 a-b show side and top views of a first embodiment of a ventingdevice that employs no moving parts. In this embodiment, the ventconsists of a channel formed between two strips 61,62 of a thin materialthat are laminated together along their length. The vent channel itselfis defined by a length of yarn 63 sandwiched between the thin strips61,62.

In this embodiment, the thin strips are made of a coverlay material,which is typically a polyimide or polyester material commonly used as afilm applied to flexible printed circuits to protect and insulate thecopper wiring. Other materials having similar properties can besubstituted.

The yarn acts as a gas-permeable “semisolid” to prevent access to theinside of the module while allowing the passage of air so as to equalizethe pressure in the interior of the inner case to the pressure on theexterior of the outer case. In this embodiment, the yarn consists of twolengths of four-ply wool yarn twisted together. Other types of yarns,such as glass yarn, can be substituted.

To make the venting device shown in this embodiment, the two strips ofcoverlay material, each 0.001 inch thick and each with a 0.001 inchlayer of thermally activated adhesive, are laminated together in astandard flex circuit laminating press at approximately 300° F. and 70PSI for a period of approximately 45 minutes. The yarn adheres to thecoverlay due to the thermally activated adhesive. Sponge rubber orsimilar material is laid on both sides of the coverlay sandwich duringthe laminating process so as not to crush the yarn that forms the ventchannel. To aid in the definition of the vent, the platens of the presscould be made with a channel for the yarn.

As shown in FIG. 5, the venting device according to the first embodimentis inserted through an opening in the inner case 2, and passes betweenthe overlapping layers of tamper sensing mesh 5 and through thepolyurethane 6 between the inner and outer cases. A pressure sensitiveadhesive is used to adhere the venting device to the first layer ofmesh. In use, it is observed that a pressure differential of between 0and 0.1 atmospheres must exist between the inside of the inner case andthe outside of the outer case before air begins to flow between throughthe venting device. This threshold effect is attributed to the pressurethat the cured urethane foam exerts on the sides of venting device.

A second embodiment of the venting device is illustrated in the side andtop views of FIGS. 7 a-b. In this alternate embodiment, another layer 71of thin material, e.g., a 0.001-inch thick polyimide layer, is placed inthe middle of the coverlay/yarn sandwich. A hole 72 is drilled in thepolyimide layer and the yarn passes through the hole, passing from oneside of the polyimide to the other side. By passing from one side of thepolyimide the other side, two 90° of bends are formed in the ventchannel. This satisfies the FIPS 140-2, Level 4, requirement for atleast one 90° bend between the interior of the package and the exterior.

A third embodiment is shown in the side and top views of FIGS. 8 a-b,where a third layer 81 of thin material is also used. However, in thiscase, two holes 82,83 are drilled in the third layer side-by-side, andthe yarn is laced, first through one hole and then back through theother, to emerge on the same side. In this manner, six 90° bends areformed. Further alternative versions of the third embodiment arepossible using different patterns of holes in the third layer ofcoverlay material.

Moreover, it is possible to form the yarn vent channel in a zigzagpattern with any number of 90° bends, without using the third layer as apattern. FIGS. 9 a-9 c illustrate side, top and transverse views,respectively, of a fourth embodiment in which small holes 91, 92 areformed in the coverlay strips 93,94 and pins (not shown) inserted in theholes to act as guides that cause the yarn material to change direction.Once the venting device is formed the pins are removed and the holescovered, such as with a thin acrylate label material (not shown), toprevent air from leaking out.

In the venting device of the foregoing embodiments, the coverlayadhesive not only holds the package together but also serves to hold theyarn in place so that it cannot be pushed out of the way. Because of themany layers of fiber within the yarn, the adhesive also serves to keepthe yarn together as a unit. The coverlay itself is fragile and anyattempts to follow the vent channel through the yarn will damage thecoverlay. When the coverlay is damaged, it gives direct access to damageof the tamper sensitive resistive mesh. If the tamper sensitiveresistive mesh is damaged, the circuitry inside the package isprogrammed to nullify all the encryption technology within the module.Fragile tamper circuitry can be added to the coverlay itself around thevent channel and this can also be monitored by the module to detect anyattempts to gain access to the encryption technology. As anotheralternative, the vent can be made an integral part of the flex cables 31shown in FIG. 3.

As can be seen in FIG. 5, the venting device has a primary 90° bend inthe mesh. FIGS. 7-9 show how further 90° bends can be added as desiredto make access into the package more difficult. These extra 90° bendsshould be made between the layers of mesh for the most optimum function.By being between the layers of mesh, they increase the level of tamperresistance and tamper detection by the module. If required, multiplevents can be added to the module, or multiple channels can be made inone venting device.

Because of the air resistance of the vent channel, the venting processwill take a period of time. The optimum venting time is either much lessthan or somewhat more than one-quarter the period of the thermal cycleto which the module is exposed. As shown in FIG. 10, the worst caseoccurs when the venting time is equal to one-quarter of the cyclingtime. This creates higher peak pressures at high temperatures and lowerlow pressures at low temperatures. Accordingly, the vent time needs tothe optimized to avoid this condition.

Some embodiments of the present invention may further include a lockingcheck valve or the like, either in the vent channel or in a separateduct. The locking check valve in these embodiments should both actuateat a relatively low pressure (e.g., around 0.01 atm) and be sufficientlylimited in valve travel so as to prevent introduction, eitherintentional or accidental, of foreign materials. These embodiments maybe desireable where a high flow rate through the vent channel isrequired.

It should be understood that the invention is not necessarily limited tothe specific process, arrangement, materials and components shown anddescribed above, but may be susceptible to numerous variations withinthe scope of the invention. For example, although the above-describedexemplary aspects of the invention are believed to be particularly wellsuited for tamper resistant communications encryption modules, it iscontemplated that the concepts of the present invention can be utilizedwhenever it is desired to vent any tamper resistant electronic assembly.

It will be apparent to one skilled in the art that the manner of makingand using the claimed invention has been adequately disclosed in theabove-written description of the preferred embodiments taken togetherwith the drawings.

It will be understood that the above description of the preferredembodiments of the present invention are susceptible to variousmodifications, changes and adaptations, and the same are intended to becomprehended within the meaning and range of equivalents of the appendedclaims.

1. A tamper resistant enclosure for an electronic circuit, comprising:an inner case for enclosing the electronic circuit; a tamper sensingmesh wrapped around the inner case in such a manner that edges of thetamper sensing mesh form overlapping layers on a portion of the innercase; an outer case enclosing the inner case and the tamper sensingmesh; and a venting device forming a vent channel from inside the innercase to outside the outer case, the vent channel passing between theoverlapping layers of the tamper sensing mesh and having at least oneright angle bend along its length.
 2. The tamper resistant enclosure ofclaim 1, further comprising: an encapsulant filling space between theinner case and the outer case.
 3. The tamper resistant enclosure ofclaim 2, wherein the encapsulant is composed of a polyurethane material.4. The tamper resistant enclosure of claim 1, wherein the inner case andthe outer case are metallic.
 5. The tamper resistant enclosure of claim5, wherein at least one of the inner case and the outer case is composedof copper.
 6. The tamper resistant enclosure of claim 1, wherein theventing device comprises two strips of a thin material laminatedtogether along their length, and a length of semisolid materialsandwiched between the thin strips and extending from one end of thestrips to the other end of the strips to form the vent channel.
 7. Thetamper resistant enclosure of claim 6, wherein the thin strips arecomposed of a coverlay material.
 8. The tamper resistant enclosure ofclaim 6, wherein the semisolid material is a wool yarn.
 9. A ventingdevice for a tamper resistant enclosure, comprising: two strips of athin material laminated together along their length; and a length ofsemisolid material sandwiched between the thin strips and extending fromone end of the strips to the other end of the strips to form a ventchannel.
 10. The venting device of claim 9, wherein the two thin stripsare composed of a coverlay material.
 11. The venting device of claim 10,wherein the coverlay material is composed of a polyimide.
 12. Theventing device of claim 9, wherein the semisolid material is a yarncomposed of a fibrous material.
 13. The venting device of claim 12,wherein the yarn is a wool yarn.
 14. The venting device of claim 12,wherein the two strips of a thin material are first and second thinstrips, and the venting device further comprises: a third strip of thinmaterial interposed between the first and second thin strips, the thirdthin strip having one or more holes along its length through which thelength of yarn is laced.
 15. The venting device of claim 12, wherein thelength of yarn follows a zig-zag path between one end of the strips andthe other end of the strips.
 16. The venting device of claim 15, whereinthe zig-zag path includes at least one right angle bend.
 17. A method ofmanufacturing a venting device for a tamper resistant enclosure,comprising: providing two strips of coverlay material each with a layerof thermally activated adhesive, and a length of yarn interposed betweenthe two thin strips and extending from one end of the strips to theother end of the strips to form a vent channel; and laminating the twostrips together with the yarn in between at elevated temperature andpressure for a predetermined period of time.
 18. The method of claim 17,wherein the laminating of the two strips together with the yarn inbetween is performed at a temperature of approximately 300° F. and apressure of approximately 75 PSI for a period of approximately 45minutes.
 19. The method of claim 17, wherein the laminating step isperformed in a laminating press with sponge rubber layered on both sidesof the sandwich.
 20. The method of claim 17, wherein the laminating stepis performed in a laminating press having platens with grooves thatdefine the vent channel.
 21. The method of claim 17, further comprising:forming matching holes in the two strips of coverlay material andinserting pins through the matching holes to guide the length of yarninterposed between the two strips in a zig-zag path between one end ofthe strips and the other end of the strips.
 22. The method of claim 17,wherein the yarn is a wool yarn.
 23. The method of claim 17, furthercomprising: inserting a locking check valve in the vent channel.